RTSP: avoid integer overflow on funny RTSP response #1969
Conversation
lib/http.c
Outdated
| &rtspversion_major, | ||
| &conn->rtspversion, | ||
| &k->httpcode); | ||
| &k->httpcode, &wall); | ||
| if(nc == 3) { |
There was a problem hiding this comment.
Is this still going to match? If all fields match, isn't sscanf going to return 4 instead?
There was a problem hiding this comment.
sscanf() is a bit tricky to use for this matching. It doesn't really care about the spaces in the match string so an input like 1.1234567 200 (ie an illegal string) will match %1d.%d %3d and store 1, 1 and 234 and return 3. I don't think we want that.
So with %1d.%d %3d %d I want the above input to store 1,1,234, 567 and return 4, which isn't and shouldn't be a match.
While explaining this I think the case where the input says 1.1 200 200 reasons to be fine is also going to not match while it is a fine input. The second "200" just happens to be part of the string...
I'll improve the logic.
| # Server-side | ||
| <reply> | ||
| <data> | ||
| RTSP/1.1234567 200 OK |
There was a problem hiding this comment.
Your sscanf has wall coming from %d. Is "OK" going to be matched by %d?
... like a very large non-existing RTSP version number. Added test 577 to verify. Detected by OSS-fuzz.
bagder
force-pushed
the
bagder/rtsp-integer-overflow
branch
from
b73b4d3
to
6df6367
Compare
... like a very large non-existing RTSP version number.
Added test 577 to verify.
Detected by OSS-fuzz.